author | Junio C Hamano <gitster@pobox.com> | 2024-05-14 07:53:46 -0700 |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2024-05-14 07:53:46 -0700 |
commit | 81632a6851a67a669f4118f317c4c317597f3580 (patch) | |
tree | d2134236e1e1eeac75b067ffea4f230cae79baa8 | |
parent | 1365ca3bda21f91694f354abdb3459692fcbcf1c (diff) | |
29 files changed, 313 insertions, 18 deletions
diff --git a/RelNotes/2.39.4.txt b/RelNotes/2.39.4.txt new file mode 100644 index 000000000..7f54521fe --- /dev/null +++ b/RelNotes/2.39.4.txt 
@@ -0,0 +1,79 @@ +Git v2.39.4 Release Notes +========================= + +This addresses the security issues CVE-2024-32002, CVE-2024-32004, +CVE-2024-32020 and CVE-2024-32021. + +This release also backports fixes necessary to let the CI builds pass +successfully. + +Fixes since v2.39.3 +------------------- + + * CVE-2024-32002: + + Recursive clones on case-insensitive filesystems that support symbolic + links are susceptible to case confusion that can be exploited to + execute just-cloned code during the clone operation. + + * CVE-2024-32004: + + Repositories can be configured to execute arbitrary code during local + clones. To address this, the ownership checks introduced in v2.30.3 + are now extended to cover cloning local repositories. + + * CVE-2024-32020: + + Local clones may end up hardlinking files into the target repository's + object database when source and target repository reside on the same + disk. If the source repository is owned by a different user, then + those hardlinked files may be rewritten at any point in time by the + untrusted user. + + * CVE-2024-32021: + + When cloning a local source repository that contains symlinks via the + filesystem, Git may create hardlinks to arbitrary user-readable files + on the same filesystem as the target repository in the objects/ + directory. + + * CVE-2024-32465: + + It is supposed to be safe to clone untrusted repositories, even those + unpacked from zip archives or tarballs originating from untrusted + sources, but Git can be tricked to run arbitrary code as part of the + clone. + + * Defense-in-depth: submodule: require the submodule path to contain + directories only. + + * Defense-in-depth: clone: when symbolic links collide with directories, keep + the latter. + + * Defense-in-depth: clone: prevent hooks from running during a clone. + + * Defense-in-depth: core.hooksPath: add some protection while cloning. + + * Defense-in-depth: fsck: warn about symlink pointing inside a gitdir. 
+ + * Various fix-ups on HTTP tests. + + * Test update. + + * HTTP Header redaction code has been adjusted for a newer version of + cURL library that shows its traces differently from earlier + versions. + + * Fix was added to work around a regression in libcURL 8.7.0 (which has + already been fixed in their tip of the tree). + + * Replace macos-12 used at GitHub CI with macos-13. + + * ci(linux-asan/linux-ubsan): let's save some time + + * Tests with LSan from time to time seem to emit harmless message that makes + our tests unnecessarily flakey; we work it around by filtering the + uninteresting output. + + * Update GitHub Actions jobs to avoid warnings against using deprecated + version of Node.js. diff --git a/RelNotes/2.40.2.txt b/RelNotes/2.40.2.txt new file mode 100644 index 000000000..646a2cc3e --- /dev/null +++ b/RelNotes/2.40.2.txt @@ -0,0 +1,7 @@ +Git v2.40.2 Release Notes +========================= + +This release merges up the fix that appears in v2.39.4 to address +the security issues CVE-2024-32002, CVE-2024-32004, CVE-2024-32020, +CVE-2024-32021 and CVE-2024-32465; see the release notes for that +version for details. diff --git a/RelNotes/2.41.1.txt b/RelNotes/2.41.1.txt new file mode 100644 index 000000000..9fb4c218b --- /dev/null +++ b/RelNotes/2.41.1.txt @@ -0,0 +1,7 @@ +Git v2.41.1 Release Notes +========================= + +This release merges up the fix that appears in v2.39.4 and v2.40.2 +to address the security issues CVE-2024-32002, CVE-2024-32004, +CVE-2024-32020, CVE-2024-32021 and CVE-2024-32465; see the release +notes for these versions for details. diff --git a/RelNotes/2.42.2.txt b/RelNotes/2.42.2.txt new file mode 100644 index 000000000..dbf761a01 --- /dev/null +++ b/RelNotes/2.42.2.txt 
@@ -0,0 +1,7 @@ +Git v2.42.2 Release Notes +========================= + +This release merges up the fix that appears in v2.39.4, v2.40.2 +and v2.41.1 to address the security issues CVE-2024-32002, +CVE-2024-32004, CVE-2024-32020, CVE-2024-32021 and CVE-2024-32465; +see the release notes for these versions for details. diff --git a/RelNotes/2.43.4.txt b/RelNotes/2.43.4.txt new file mode 100644 index 000000000..0a842515f --- /dev/null +++ b/RelNotes/2.43.4.txt @@ -0,0 +1,7 @@ +Git v2.43.4 Release Notes +========================= + +This release merges up the fix that appears in v2.39.4, v2.40.2, +v2.41.1 and v2.42.2 to address the security issues CVE-2024-32002, +CVE-2024-32004, CVE-2024-32020, CVE-2024-32021 and CVE-2024-32465; +see the release notes for these versions for details. diff --git a/RelNotes/2.44.1.txt b/RelNotes/2.44.1.txt new file mode 100644 index 000000000..b5135c328 --- /dev/null +++ b/RelNotes/2.44.1.txt @@ -0,0 +1,8 @@ +Git v2.44.1 Release Notes +========================= + +This release merges up the fix that appears in v2.39.4, v2.40.2, +v2.41.1, v2.42.2 and v2.43.4 to address the security issues +CVE-2024-32002, CVE-2024-32004, CVE-2024-32020, CVE-2024-32021 +and CVE-2024-32465; see the release notes for these versions +for details. diff --git a/RelNotes/2.45.1.txt b/RelNotes/2.45.1.txt new file mode 100644 index 000000000..3b0d60cfa --- /dev/null +++ b/RelNotes/2.45.1.txt @@ -0,0 +1,8 @@ +Git v2.45.1 Release Notes +========================= + +This release merges up the fix that appears in v2.39.4, +v2.40.2, v2.41.1, v2.42.2, v2.43.4 and v2.44.1 to address the +security issues CVE-2024-32002, CVE-2024-32004, CVE-2024-32020, +CVE-2024-32021 and CVE-2024-32465; see the release notes for +these versions for details. diff --git a/fsck-msgids.txt b/fsck-msgids.txt index f643585a3..5edc06c65 100644 --- a/fsck-msgids.txt +++ b/fsck-msgids.txt 
@@ -164,6 +164,18 @@ `nullSha1`:: (WARN) Tree contains entries pointing to a null sha1. +`symlinkPointsToGitDir`:: + (WARN) Symbolic link points inside a gitdir. + +`symlinkTargetBlob`:: + (ERROR) A non-blob found instead of a symbolic link's target. + +`symlinkTargetLength`:: + (WARN) Symbolic link target longer than maximum path length. + +`symlinkTargetMissing`:: + (ERROR) Unable to read symbolic link target's blob. + `treeNotSorted`:: (ERROR) A tree is not properly sorted. diff --git a/git-fsck.html b/git-fsck.html index 148c3b9c8..6ab20f672 100644 --- a/git-fsck.html +++ b/git-fsck.html @@ -1507,6 +1507,38 @@ by setting the corresponding <code>fsck.<msg-id></code> configuration vari </p>
</dd>
<dt class="hdlist1">
+<code>symlinkPointsToGitDir</code>
+</dt>
+<dd>
+<p>
+ (WARN) Symbolic link points inside a gitdir.
+</p>
+</dd>
+<dt class="hdlist1">
+<code>symlinkTargetBlob</code>
+</dt>
+<dd>
+<p>
+ (ERROR) A non-blob found instead of a symbolic link’s target.
+</p>
+</dd>
+<dt class="hdlist1">
+<code>symlinkTargetLength</code>
+</dt>
+<dd>
+<p>
+ (WARN) Symbolic link target longer than maximum path length.
+</p>
+</dd>
+<dt class="hdlist1">
+<code>symlinkTargetMissing</code>
+</dt>
+<dd>
+<p>
+ (ERROR) Unable to read symbolic link target’s blob.
+</p>
+</dd>
+<dt class="hdlist1">
<code>treeNotSorted</code>
</dt>
<dd>
diff --git a/git-upload-pack.html b/git-upload-pack.html index 9a9a70402..dffb10f05 100644 --- a/git-upload-pack.html +++ b/git-upload-pack.html @@ -834,10 +834,47 @@ repository. For push operations, see <em>git send-pack</em>.</p></div> variable to be passed. See the discussion in <a href="git.html">git(1)</a>.
</p>
</dd>
+<dt class="hdlist1">
+<code>GIT_NO_LAZY_FETCH</code>
+</dt>
+<dd>
+<p>
+ When cloning or fetching from a partial repository (i.e., one
+ itself cloned with <code>--filter</code>), the server-side <code>upload-pack</code>
+ may need to fetch extra objects from its upstream in order to
+ complete the request. By default, <code>upload-pack</code> will refuse to
+ perform such a lazy fetch, because <code>git fetch</code> may run arbitrary
+ commands specified in configuration and hooks of the source
+ repository (and <code>upload-pack</code> tries to be safe to run even in
+ untrusted <code>.git</code> directories).
+</p>
+<div class="paragraph"><p>This is implemented by having <code>upload-pack</code> internally set the
+<code>GIT_NO_LAZY_FETCH</code> variable to <code>1</code>. If you want to override it
+(because you are fetching from a partial clone, and you are sure
+you trust it), you can explicitly set <code>GIT_NO_LAZY_FETCH</code> to
+<code>0</code>.</p></div>
+</dd>
</dl></div>
</div>
</div>
<div class="sect1">
+<h2 id="_security">SECURITY</h2>
+<div class="sectionbody">
+<div class="paragraph"><p>Most Git commands should not be run in an untrusted <code>.git</code> directory
+(see the section <code>SECURITY</code> in <a href="git.html">git(1)</a>). <code>upload-pack</code> tries to
+avoid any dangerous configuration options or hooks from the repository
+it’s serving, making it safe to clone an untrusted directory and run
+commands on the resulting clone.</p></div>
+<div class="paragraph"><p>For an extra level of safety, you may be able to run <code>upload-pack</code> as an
+alternate user. The details will be platform dependent, but on many
+systems you can run:</p></div>
+<div class="literalblock">
+<div class="content">
+<pre><code>git clone --no-local --upload-pack='sudo -u nobody git-upload-pack' ...</code></pre>
+</div></div>
+</div>
+</div>
+<div class="sect1">
<h2 id="_see_also">SEE ALSO</h2>
<div class="sectionbody">
<div class="paragraph"><p><a href="gitnamespaces.html">gitnamespaces(7)</a></p></div>
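Review bot: the new `GIT_NO_LAZY_FETCH` entry should say in whose environment the override is set. The text says `upload-pack` "internally" sets the variable to `1` and that you "can explicitly set `GIT_NO_LAZY_FETCH` to `0`", but the `0` must reach the process that runs `upload-pack`, which for ssh is the server side; the hunk's own context already notes that "admins may need to configure some transports to allow this variable to be passed", so a clause such as "in the environment of the server-side `upload-pack`" would stop readers from setting it on the client and wondering why nothing changed. In the SECURITY section, the example `git clone --no-local --upload-pack='sudo -u nobody git-upload-pack' ...` would benefit from one sentence on why `--no-local` is there (without it the object database is copied or hardlinked straight from the source rather than transferred through `upload-pack`, so the alternate user gains nothing) and on the precondition that `nobody` needs read access to the repository. The same two points apply to the matching git-upload-pack.txt hunk, which is the asciidoc source this HTML is generated from.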
@@ -854,7 +891,7 @@ repository. For push operations, see <em>git send-pack</em>.</p></div> <div id="footer">
<div id="footer-text">
Last updated
- 2023-10-23 14:43:46 PDT
+ 2024-05-14 07:52:20 PDT
</div>
</div>
</body>
diff --git a/git-upload-pack.txt b/git-upload-pack.txt index 7ad60bc34..516d1639d 100644 --- a/git-upload-pack.txt +++ b/git-upload-pack.txt @@ -55,6 +55,37 @@ ENVIRONMENT admins may need to configure some transports to allow this variable to be passed. See the discussion in linkgit:git[1]. +`GIT_NO_LAZY_FETCH`:: + When cloning or fetching from a partial repository (i.e., one + itself cloned with `--filter`), the server-side `upload-pack` + may need to fetch extra objects from its upstream in order to + complete the request. By default, `upload-pack` will refuse to + perform such a lazy fetch, because `git fetch` may run arbitrary + commands specified in configuration and hooks of the source + repository (and `upload-pack` tries to be safe to run even in + untrusted `.git` directories). ++ +This is implemented by having `upload-pack` internally set the +`GIT_NO_LAZY_FETCH` variable to `1`. If you want to override it +(because you are fetching from a partial clone, and you are sure +you trust it), you can explicitly set `GIT_NO_LAZY_FETCH` to +`0`. + +SECURITY +-------- + +Most Git commands should not be run in an untrusted `.git` directory +(see the section `SECURITY` in linkgit:git[1]). `upload-pack` tries to +avoid any dangerous configuration options or hooks from the repository +it's serving, making it safe to clone an untrusted directory and run +commands on the resulting clone. + +For an extra level of safety, you may be able to run `upload-pack` as an +alternate user. The details will be platform dependent, but on many +systems you can run: + + git clone --no-local --upload-pack='sudo -u nobody git-upload-pack' ... + SEE ALSO -------- linkgit:gitnamespaces[7] @@ -3817,6 +3817,35 @@ unmerged version of a file when a merge is in progress.</p></div> </div>
</div>
<div class="sect1">
+<h2 id="_security">SECURITY</h2>
+<div class="sectionbody">
+<div class="paragraph"><p>Some configuration options and hook files may cause Git to run arbitrary
+shell commands. Because configuration and hooks are not copied using
+<code>git clone</code>, it is generally safe to clone remote repositories with
+untrusted content, inspect them with <code>git log</code>, and so on.</p></div>
+<div class="paragraph"><p>However, it is not safe to run Git commands in a <code>.git</code> directory (or
+the working tree that surrounds it) when that <code>.git</code> directory itself
+comes from an untrusted source. The commands in its config and hooks
+are executed in the usual way.</p></div>
+<div class="paragraph"><p>By default, Git will refuse to run when the repository is owned by
+someone other than the user running the command. See the entry for
+<code>safe.directory</code> in <a href="git-config.html">git-config(1)</a>. While this can help protect
+you in a multi-user environment, note that you can also acquire
+untrusted repositories that are owned by you (for example, if you
+extract a zip file or tarball from an untrusted source). In such cases,
+you’d need to "sanitize" the untrusted repository first.</p></div>
+<div class="paragraph"><p>If you have an untrusted <code>.git</code> directory, you should first clone it
+with <code>git clone --no-local</code> to obtain a clean copy. Git does restrict
+the set of options and hooks that will be run by <code>upload-pack</code>, which
+handles the server side of a clone or fetch, but beware that the
+surface area for attack against <code>upload-pack</code> is large, so this does
+carry some risk. The safest thing is to serve the repository as an
+unprivileged user (either via <a href="git-daemon.html">git-daemon(1)</a>, ssh, or using
+other tools to change user ids). See the discussion in the <code>SECURITY</code>
+section of <a href="git-upload-pack.html">git-upload-pack(1)</a>.</p></div>
+</div>
+</div>
+<div class="sect1">
<h2 id="_further_documentation">FURTHER DOCUMENTATION</h2>
<div class="sectionbody">
<div class="paragraph"><p>See the references in the "description" section to get started
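Review bot: the first paragraph's statement that it is "generally safe to clone remote repositories with untrusted content" should be qualified for local paths, because the closing paragraph's advice to run `git clone --no-local` only makes sense once the reader knows a plain local clone is not covered by that guarantee (this series' release notes list CVE-2024-32004 and CVE-2024-32020 specifically for local clones). Suggest "safe to clone remote repositories, or local ones with `--no-local`," or a brief forward reference to the last paragraph. Also, the sentence "you'd need to "sanitize" the untrusted repository first" leaves "sanitize" undefined until the following paragraph; either fold the two paragraphs together or add "see below" so the term is not left hanging. Both points apply equally to the git.txt hunk that carries the same text.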
@@ -3879,7 +3908,7 @@ the Git Security mailing list <<a href="mailto:git-security@googlegroups.com" <div id="footer">
<div id="footer-text">
Last updated
- 2024-03-25 17:24:49 PDT
+ 2024-05-14 07:52:20 PDT
</div>
</div>
</body>
@@ -1067,6 +1067,37 @@ The index is also capable of storing multiple entries (called "stages") for a given pathname. These stages are used to hold the various unmerged version of a file when a merge is in progress. +SECURITY +-------- + +Some configuration options and hook files may cause Git to run arbitrary +shell commands. Because configuration and hooks are not copied using +`git clone`, it is generally safe to clone remote repositories with +untrusted content, inspect them with `git log`, and so on. + +However, it is not safe to run Git commands in a `.git` directory (or +the working tree that surrounds it) when that `.git` directory itself +comes from an untrusted source. The commands in its config and hooks +are executed in the usual way. + +By default, Git will refuse to run when the repository is owned by +someone other than the user running the command. See the entry for +`safe.directory` in linkgit:git-config[1]. While this can help protect +you in a multi-user environment, note that you can also acquire +untrusted repositories that are owned by you (for example, if you +extract a zip file or tarball from an untrusted source). In such cases, +you'd need to "sanitize" the untrusted repository first. + +If you have an untrusted `.git` directory, you should first clone it +with `git clone --no-local` to obtain a clean copy. Git does restrict +the set of options and hooks that will be run by `upload-pack`, which +handles the server side of a clone or fetch, but beware that the +surface area for attack against `upload-pack` is large, so this does +carry some risk. The safest thing is to serve the repository as an +unprivileged user (either via linkgit:git-daemon[1], ssh, or using +other tools to change user ids). See the discussion in the `SECURITY` +section of linkgit:git-upload-pack[1]. + FURTHER DOCUMENTATION --------------------- 
diff --git a/howto/coordinate-embargoed-releases.html b/howto/coordinate-embargoed-releases.html index 542bcf09c..b62716b29 100644 --- a/howto/coordinate-embargoed-releases.html +++ b/howto/coordinate-embargoed-releases.html @@ -1038,7 +1038,7 @@ Thanks, <div id="footer">
<div id="footer-text">
Last updated
- 2024-05-13 12:27:19 PDT
+ 2024-05-14 07:52:43 PDT
</div>
</div>
</body>
diff --git a/howto/keep-canonical-history-correct.html b/howto/keep-canonical-history-correct.html index 3b2ac0376..d7253ceeb 100644 --- a/howto/keep-canonical-history-correct.html +++ b/howto/keep-canonical-history-correct.html @@ -939,7 +939,7 @@ tip of your <em>master</em> again and redo the two merges:</p></div> <div id="footer">
<div id="footer-text">
Last updated
- 2024-05-13 12:27:19 PDT
+ 2024-05-14 07:52:43 PDT
</div>
</div>
</body>
diff --git a/howto/maintain-git.html b/howto/maintain-git.html index 5b24b74ce..16fa266b1 100644 --- a/howto/maintain-git.html +++ b/howto/maintain-git.html @@ -1479,7 +1479,7 @@ $ git update-ref -d $mf/ai/topic</code></pre> <div id="footer">
<div id="footer-text">
Last updated
- 2024-05-13 12:27:19 PDT
+ 2024-05-14 07:52:43 PDT
</div>
</div>
</body>
diff --git a/howto/new-command.html b/howto/new-command.html index 5a6fcb536..cbbaa7baa 100644 --- a/howto/new-command.html +++ b/howto/new-command.html @@ -864,7 +864,7 @@ letter [PATCH 0/n]. <div id="footer">
<div id="footer-text">
Last updated
- 2024-05-13 12:27:18 PDT
+ 2024-05-14 07:52:41 PDT
</div>
</div>
</body>
diff --git a/howto/rebase-from-internal-branch.html b/howto/rebase-from-internal-branch.html index b1c8f0707..f2f03ea75 100644 --- a/howto/rebase-from-internal-branch.html +++ b/howto/rebase-from-internal-branch.html @@ -896,7 +896,7 @@ the #1' commit.</p></div> <div id="footer">
<div id="footer-text">
Last updated
- 2024-05-13 12:27:19 PDT
+ 2024-05-14 07:52:43 PDT
</div>
</div>
</body>
diff --git a/howto/rebuild-from-update-hook.html b/howto/rebuild-from-update-hook.html index dde7c569f..498a81621 100644 --- a/howto/rebuild-from-update-hook.html +++ b/howto/rebuild-from-update-hook.html @@ -848,7 +848,7 @@ This is still crude and does not protect against simultaneous <div id="footer">
<div id="footer-text">
Last updated
- 2024-05-13 12:27:19 PDT
+ 2024-05-14 07:52:43 PDT
</div>
</div>
</body>
diff --git a/howto/recover-corrupted-blob-object.html b/howto/recover-corrupted-blob-object.html index be7cbf43d..3b9021fbb 100644 --- a/howto/recover-corrupted-blob-object.html +++ b/howto/recover-corrupted-blob-object.html @@ -881,7 +881,7 @@ thing.</p></div> <div id="footer">
<div id="footer-text">
Last updated
- 2024-05-13 12:27:19 PDT
+ 2024-05-14 07:52:43 PDT
</div>
</div>
</body>
diff --git a/howto/recover-corrupted-object-harder.html b/howto/recover-corrupted-object-harder.html index 366e02b20..4ea832e10 100644 --- a/howto/recover-corrupted-object-harder.html +++ b/howto/recover-corrupted-object-harder.html @@ -1190,7 +1190,7 @@ int main(int argc, char **argv) <div id="footer">
<div id="footer-text">
Last updated
- 2024-05-13 12:27:19 PDT
+ 2024-05-14 07:52:43 PDT
</div>
</div>
</body>
diff --git a/howto/revert-a-faulty-merge.html b/howto/revert-a-faulty-merge.html index 8877e1d58..67737041d 100644 --- a/howto/revert-a-faulty-merge.html +++ b/howto/revert-a-faulty-merge.html @@ -1026,7 +1026,7 @@ P---o---o---M---x---x---W---x---M2 <div id="footer">
<div id="footer-text">
Last updated
- 2024-05-13 12:27:19 PDT
+ 2024-05-14 07:52:42 PDT
</div>
</div>
</body>
diff --git a/howto/revert-branch-rebase.html b/howto/revert-branch-rebase.html index db87d0e53..cf33c8791 100644 --- a/howto/revert-branch-rebase.html +++ b/howto/revert-branch-rebase.html @@ -908,7 +908,7 @@ Committed merge 7fb9b7262a1d1e0a47bbfdcbbcf50ce0635d3f8f <div id="footer">
<div id="footer-text">
Last updated
- 2024-05-13 12:27:18 PDT
+ 2024-05-14 07:52:42 PDT
</div>
</div>
</body>
diff --git a/howto/separating-topic-branches.html b/howto/separating-topic-branches.html index cf9b2858c..03851c59b 100644 --- a/howto/separating-topic-branches.html +++ b/howto/separating-topic-branches.html @@ -842,7 +842,7 @@ o---o"master"</code></pre> <div id="footer">
<div id="footer-text">
Last updated
- 2024-05-13 12:27:19 PDT
+ 2024-05-14 07:52:42 PDT
</div>
</div>
</body>
diff --git a/howto/setup-git-server-over-http.html b/howto/setup-git-server-over-http.html index 7bd8d33bc..113bf4d96 100644 --- a/howto/setup-git-server-over-http.html +++ b/howto/setup-git-server-over-http.html @@ -1072,7 +1072,7 @@ help diagnosing the problem, but removes security checks.</p></div> <div id="footer">
<div id="footer-text">
Last updated
- 2024-05-13 12:27:19 PDT
+ 2024-05-14 07:52:42 PDT
</div>
</div>
</body>
diff --git a/howto/update-hook-example.html b/howto/update-hook-example.html index 548a6b902..a68d0f563 100644 --- a/howto/update-hook-example.html +++ b/howto/update-hook-example.html @@ -931,7 +931,7 @@ that JC can make non-fast-forward pushes on it.</p></div> <div id="footer">
<div id="footer-text">
Last updated
- 2024-05-13 12:27:18 PDT
+ 2024-05-14 07:52:42 PDT
</div>
</div>
</body>
diff --git a/howto/use-git-daemon.html b/howto/use-git-daemon.html index 24d86c437..24e106c72 100644 --- a/howto/use-git-daemon.html +++ b/howto/use-git-daemon.html @@ -792,7 +792,7 @@ a good practice to put the paths after a "--" separator.</p></div> <div id="footer">
<div id="footer-text">
Last updated
- 2024-05-13 12:27:18 PDT
+ 2024-05-14 07:52:42 PDT
</div>
</div>
</body>
diff --git a/howto/using-merge-subtree.html b/howto/using-merge-subtree.html index d5c0dab08..f53f4e328 100644 --- a/howto/using-merge-subtree.html +++ b/howto/using-merge-subtree.html @@ -849,7 +849,7 @@ Please note that if the other project merges from you, then it will <div id="footer">
<div id="footer-text">
Last updated
- 2024-05-13 12:27:18 PDT
+ 2024-05-14 07:52:42 PDT
</div>
</div>
</body>
diff --git a/howto/using-signed-tag-in-pull-request.html b/howto/using-signed-tag-in-pull-request.html index f72726e9d..0b6374b4a 100644 --- a/howto/using-signed-tag-in-pull-request.html +++ b/howto/using-signed-tag-in-pull-request.html @@ -953,7 +953,7 @@ as part of the merge commit.</p></div> <div id="footer">
<div id="footer-text">
Last updated
- 2024-05-13 12:27:18 PDT
+ 2024-05-14 07:52:42 PDT
</div>
</div>
</body>
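Review bot: in the RelNotes/2.39.4.txt hunk, the opening sentence lists only four CVEs ("This addresses the security issues CVE-2024-32002, CVE-2024-32004, CVE-2024-32020 and CVE-2024-32021.") while the body of the same file carries a CVE-2024-32465 entry and every later release note in this series (2.40.2 through 2.45.1) credits v2.39.4 with all five; add CVE-2024-32465 to that sentence so the per-version notes agree. Two smaller points in the same hunk: "flakey" should be "flaky", and "* ci(linux-asan/linux-ubsan): let's save some time" is a raw commit subject rather than a release-note sentence like its neighbours.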